All businesses and organisations implement strategies to achieve their goals and objectives. The achievement of such goals and objectives produces many benefits such as inter alia:
However, the pursuit of objectives and goals is accompanied by many risks. The success of businesses and organisations, including SMEs, in achieving their strategic goals and objectives is dependent on how effectively and efficiently they manage risk.
Moreover, in order to accelerate growth and create sustainable long-term value, SMEs must proactively and optimally take on more risks, subject to their risk appetite.
In other words, SMEs must determine whether the pursuit of goals, opportunities and objectives is worth the risk, whether the benefits will exceed the cost of the risks and whether the business has the competencies, resources and capabilities to mitigate the risks.
The current business environment requires businesses to embrace digital transformation, i.e. to digitalise their operations in order to satisfy new customer demands, offer new products and services, automate processes, systems and operations to boost the quality of products and services, reduce cost, increase efficiencies, build agility and improve communication with customers, staff and other stakeholders, etc.
However, the pursuit of such a digital strategy comes with a high likelihood of cyber-attack risks in the form of data breaches, ransomware, viruses, locking of systems, etc.
The consequences and impact of such risk, if not adequately mitigated, include disruption of operations (like the widely publicised disruption of Transnet's IT systems due to cyber-attacks), poor customer service, payment of ransom money, theft of data and intellectual property (Standard Bank recently had a data breach where customer records were exposed) and other assets, damage to reputation and brand, etc.
Therefore, it is in SMEs' best interest to identify risk and mitigate the impact of such risk. The benefits of managing this risk will far outweigh the cost of the risk.
SMEs must develop strategies to mitigate the risk identified. Strategies to mitigate cyber-attack risks include developing and updating security policies, developing capabilities and acquiring resources to identify, prevent and control cyber-attacks, sensitising and training staff and users about cyber risks and how to avoid falling victim to them, implementing password controls, etc.
The management of SMEs is ultimately responsible for the identification and management of risk. Therefore, SMEs must develop and nurture a risk-conscious culture.
Risk management must be infused in strategic planning, decision-making, problem-solving and the day-to-day management of operations.
SMEs must at all times be aware of and sensitive to all risks in the business. However, risk cannot be efficiently mitigated without knowing and understanding it adequately, and failing to know and understand the risks that SMEs are exposed to can have devastating consequences.
In addition, SMEs must develop and implement a structured and robust process and methodology that enables them to identify strategic, operational, financial, compliance and other risks.
The outcome of such a risk management methodology is a risk register that sets out major identified and measured risks, action plans and the timing to mitigate such risks as well as the persons responsible for the implementation and outcome of the action plans.
The risk register must be regularly updated as risk constantly arises and changes in organisations. Such a risk register should become a top agenda item in executive committee and management meetings.
A structured risk management methodology is a documented series of steps, processes, systems, procedures, techniques, team roles and responsibilities and policy that enables management to identify, measure and assess risk, and develop robust action plans to mitigate and manage enterprise risk.
Senior, middle and lower management must fully participate in the risk management process, as risks exist on all levels and have an effect on the business as a whole. A typical risk management methodology consists of the following summary steps:
This methodology will give rise to a risk register that must be communicated to all stakeholders, implemented and monitored on a regular basis.
The following are key risk areas in SMEs that must be monitored, assessed and managed on a regular basis:
Small- and medium-sized enterprises (SMEs) are seen as a panacea to South Africa's growing unemployment. The National Development Plan forecasts that 90% of the 11m new jobs will come from the SME sector by 2030. However, research data shows that this may not be the case, as the SME sector's share of this new job growth in the private sector is disappointingly low.
SMEs are also expected to contribute significantly to the country's GDP as approximately 95% of businesses consist of SMEs, like in other countries. The National Development Plan also forecasts that by 2030, SMEs will contribute 60% to 80% of the GDP.
In contrast, SMEs' actual contribution to GDP in SA is disproportionately low, according to the research data. This situation is a result of the exceptionally high failure rate of SMEs. Between 70% and 80% of SMEs do not survive past the first five years. Amongst the key reasons cited for this high failure rate is the lack of appropriate business skills and knowledge, according to a survey report of The SA Institute of Chartered Accountants.
Poor risk management is invariably linked to the high failure rate amongst SMEs. However, the effective and efficient management of enterprise risk may enable SMEs to overcome this high failure rate. Unfortunately, effective risk management is among the key competencies that SMEs lack.
Therefore, the development of risk management skills and using such skills may go a long way in enabling SMEs to improve performance, accelerate growth and create sustainable long-term value for their stakeholders, as well as minimise losses and prevent small problems from escalating into crises.